// TrojanDownloader:O97M/Pewmod.A -- Office macro (O97M) downloader signature.
// Every $a_01_* string is plain ASCII VBA source in which the real argument is
// assembled from Chr() calls; the value those Chr() terms decode to is noted
// beside each string. The trailing "//NN 00" comments appear to be the
// per-string weights carried over from the original Defender signature
// (SIGNATURE_TYPE_MACROHSTR_EXT) -- confirm against the converter.
rule TrojanDownloader_O97M_Pewmod_A
{
    meta:
        description = "TrojanDownloader:O97M/Pewmod.A,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 01 00 "
    strings:
        // CreateObject( with its ProgID built from Chr(): 77,83,88,77,76,50 -> "MSXML2"
        $a_01_0 = "CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50)" //01 00
        // .Open with the HTTP verb built from Chr(): 71,69,84 -> "GET"
        $a_01_1 = ".Open Chr(71) & Chr(69) & Chr(84)" //01 00
        // Environ( with the variable name built from Chr(): 116,101,109,112 -> "temp"
        $a_01_2 = "Environ(Chr(116) & Chr(101) & Chr(109) & Chr(112))" //01 00
        // "FIREFOX " followed by arithmetic Chr() terms: 104,116,116,112,58,47,47 -> "http://"
        $a_01_3 = "FIREFOX Chr(100 + 4) & Chr(110 + 6) & Chr(110 + 6) & Chr(110 + 2) & Chr(50 + 8) & Chr(40 + 7) & Chr(40 + 7)" //00 00
        // Raw two-byte pattern (not printable ASCII), kept in hex form.
        // NOTE(review): under "any of" this 2-byte string matches on its own;
        // check its hit rate on benign documents before relying on the rule alone.
        $a_00_4 = { 8f 56 } //01 00
    condition:
        any of ($a_*)
}
// TrojanDownloader:O97M/Pewmod.A (second variant) -- Office macro (O97M)
// downloader signature. Each $a_01_* string is plain ASCII VBA source whose
// real argument is assembled from Chr() calls; the decoded value is noted
// beside each string. The trailing "//NN 00" comments appear to be the
// per-string weights from the original Defender signature -- confirm against
// the converter.
rule TrojanDownloader_O97M_Pewmod_A_2
{
    meta:
        description = "TrojanDownloader:O97M/Pewmod.A,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 01 00 "
    strings:
        // CreateObject( with its ProgID built from Chr():
        // 109,115,120,109,108,50,46,120,109,108,104,116,116,112 -> "msxml2.xmlhttp"
        $a_01_0 = "CreateObject(Chr(109) & Chr(115) & Chr(120) & Chr(109) & Chr(108) & Chr(50) & Chr(46) & Chr(120) & Chr(109) & Chr(108) & Chr(104) & Chr(116) & Chr(116) & Chr(112))" //01 00
        // .Open with the HTTP verb built from Chr(): 71,69,84 -> "GET"
        $a_01_1 = ".Open Chr(71) & Chr(69) & Chr(84)" //01 00
        // URL scheme built from Chr(): 104,116,116,112,58,47,47 -> "http://"
        $a_01_2 = "Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47)" //01 00
        // Environ( with the variable name built from Chr(): 116,101,109,112 -> "temp"
        $a_01_3 = "Environ(Chr(116) & Chr(101) & Chr(109) & Chr(112))" //00 00
    condition:
        any of ($a_*)
}